
MITIGATING IPV6 SECURITY THREATS

After years of work in mitigating threats to the current version of the networking protocol (Internet Protocol version 4, IPv4), network defenders can implement defense in depth by leveraging an array of capabilities such as firewalls, Intrusion Detection Systems, Intrusion Prevention Systems, Security Information and Event Management (SIEM) tools and Unified Threat Management (UTM) tools. IPv4 security capabilities have evolved to the point where all of those functions can be hosted on a single Deep Packet Inspection (DPI) platform. In the IPv4 world the threats are still real and still require this defense in depth approach, but savvy network defenders have DPI and other tools at the ready to help mitigate them.


But something new is coming. The next generation Internet Protocol, known as IPv6, is replacing IPv4. IPv6 has many new features that will aid network administration and hold the potential to significantly enhance the functionality of communications systems. But two dangers require the attention of network administrators:

1) covert attack channels and
2) gaps in security monitoring.

Both these dangers can be mitigated, but only by CIO/CTO action.

The threat of covert channels is a surprising one. If you have bought network devices over the last several years you might not know it, but they are perfectly capable of running IPv6. If you work in the federal space you have been mandated to buy equipment that is IPv6 capable, so your entire infrastructure might be made up of equipment that can run this protocol. Hackers have engineered tools that let them establish IPv6 communications across IPv4 networks using this dormant IPv6 capability, typically by tunneling IPv6 inside ordinary IPv4 packets. The result: new avenues of attack are opened up, and new covert channels for data exfiltration are established that current IPv4 network monitoring devices have a hard time catching.

I’d also like to make an assertion now, one that I hope you can disprove: if your network has devices capable of running IPv6 and you assume it is not being used, the odds are that unauthorized users are already exploiting you. A common hacker practice is to use IPv6 to run Internet Relay Chat (IRC) channels across unsuspecting IT enterprises. Others use it as the covert channel for controlling their tools, and there is a very good chance that this is happening in your networks today. So, my assertion: if you have not consciously taken steps to mitigate the threat of a covert IPv6 channel in your IPv4 network, you are being used right now.

Another challenge is that even if your IPv6 implementation is intentional, there are few monitoring and event management tools available to security professionals for managing the security posture of the network. Just because a device was built to provide security for IPv4 does not mean it can provide security for IPv6; in fact, in most cases legacy security devices will not work with IPv6 at all.

My recommendations:

  • Get smart on IPv6. You have some experts in your enterprise, but it is time to dive deep into the details yourself, if you have not done so already.
  • Look for capabilities that can detect and mitigate the use of covert IPv6 networks on your IPv4 systems. I know of only one (Assure6).
  • Plan now for an enhancement to your security tool suite that adds platforms which are IPv6 capable. Understand that the threat is waiting, and when you add IPv6 equipment you have to add IPv6-capable security monitoring, defense and DPI along with it.
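The covert channel described above is easy to miss because an IPv4-only sensor sees nothing but IPv4 packets; the IPv6 traffic is either carried as IP protocol 41 (6in4, 6to4, ISATAP) or wrapped in UDP (Teredo), or it is native IPv6 on a segment nobody monitors. The following is an added example, not code from the original article or from any of the products named on this page. It is a minimal classifier that reads raw Ethernet frames (for instance pulled from a pcap) and labels the tunnel type or native IPv6 presence, so a defender can confirm or refute the assertion that IPv6 is not in use on a supposedly IPv4-only network. The frames at the bottom are constructed inline purely as test input; the addresses in them are documentation prefixes, not real hosts.

```python
"""Spot IPv6 tunnels and unexpected native IPv6 on an IPv4-only segment.

Added example for illustration. Input is a raw Ethernet frame (bytes);
no external libraries are needed, only struct and ipaddress.
"""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_IPV6 = 41       # IPv6-in-IPv4 encapsulation: 6in4, 6to4, ISATAP
IPPROTO_UDP = 17
TEREDO_PORT = 3544      # Teredo servers/relays are reached on UDP/3544
SIXTO4_NET = ipaddress.ip_network("2002::/16")   # 6to4 embeds the IPv4 address here


def _inner_ipv6_kind(inner: bytes) -> str:
    """Classify the IPv6 header carried inside an IPv4 protocol-41 packet."""
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "proto41-malformed"          # protocol 41 but no sane IPv6 header: still worth a look
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    if src in SIXTO4_NET or dst in SIXTO4_NET:
        return "6to4"
    # ISATAP interface identifiers are 00:00:5e:fe or 02:00:5e:fe followed by the IPv4 address
    for addr in (src.packed, dst.packed):
        if addr[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
            return "isatap"
    return "6in4"


def classify_frame(frame: bytes) -> str:
    """Return a label describing any IPv6 presence in a single Ethernet frame."""
    if len(frame) < 14:
        return "short-frame"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETHERTYPE_IPV6:
        return "native-ipv6"                # IPv6 on the wire where only IPv4 was expected
    if ethertype != ETHERTYPE_IPV4 or len(payload) < 20:
        return "other"
    ihl = (payload[0] & 0x0F) * 4           # IPv4 header length in bytes (options included)
    proto = payload[9]
    l4 = payload[ihl:]
    if proto == IPPROTO_IPV6:
        return _inner_ipv6_kind(l4)
    if proto == IPPROTO_UDP and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        if TEREDO_PORT in (sport, dport):
            return "teredo"                 # UDP-wrapped IPv6 that slips through NAT and protocol-41 filters
    return "ipv4-only"


SUSPICIOUS = {"native-ipv6", "6to4", "isatap", "6in4", "teredo", "proto41-malformed"}


def audit(frames: dict) -> dict:
    """Label every frame by name."""
    return {name: classify_frame(f) for name, f in frames.items()}


def findings(frames: dict) -> list:
    """Names of the frames that indicate IPv6 use on the segment, sorted."""
    return sorted(name for name, label in audit(frames).items() if label in SUSPICIOUS)


# --- constructed sample frames (test input only, documentation addresses) ---
def _eth(ethertype: int, payload: bytes) -> bytes:
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ethertype) + payload


def _ipv4(proto: int, payload: bytes, src="192.0.2.10", dst="198.51.100.20") -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def _ipv6(src: str, dst: str, next_header=59) -> bytes:   # 59 = no next header
    return struct.pack("!IHBB16s16s", 0x60000000, 0, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


SAMPLE_FRAMES = {
    "benign_tcp": _eth(ETHERTYPE_IPV4, _ipv4(6, b"\x00\x50\x00\x50" + b"\x00" * 16)),
    "sixto4":     _eth(ETHERTYPE_IPV4, _ipv4(IPPROTO_IPV6, _ipv6("2002:c000:20a::1", "2001:db8::1"))),
    "isatap":     _eth(ETHERTYPE_IPV4, _ipv4(IPPROTO_IPV6, _ipv6("fe80::5efe:c000:20a", "fe80::5efe:c633:6414"))),
    "sixin4":     _eth(ETHERTYPE_IPV4, _ipv4(IPPROTO_IPV6, _ipv6("2001:db8::10", "2001:db8::20"))),
    "teredo":     _eth(ETHERTYPE_IPV4, _ipv4(IPPROTO_UDP, struct.pack("!HHHH", 50000, TEREDO_PORT, 48, 0) + b"\x00" * 40)),
    "native_v6":  _eth(ETHERTYPE_IPV6, _ipv6("fe80::1", "ff02::1", 58)),
}

if __name__ == "__main__":
    for name, label in audit(SAMPLE_FRAMES).items():
        print(f"{name:12s} -> {label}")
    print("needs attention:", findings(SAMPLE_FRAMES))
```

Feed it frames from a capture on a segment you believe is IPv4-only; any label other than `ipv4-only` or `other` is evidence against that belief. The labels are indicators, not proof of compromise: a legitimate dual-stack rollout produces the same frames, which is exactly why the recommendation above is to know consciously whether IPv6 is in use rather than assume it is not.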



This article was terrific on helping to bring awareness to the IPv6 tunneling issue and the security implications. Research has shown that a serious security risk during this transitional phase is that administrators may be unaware of IPv6 tunnels within their networks. IPv6 services may be accessed unknowingly, IPv4 network address translators may be traversed via these tunnels, and attacks may be mounted against end hosts that now have a new network access point available on their systems. As a result, the need for a security tool that can monitor the network for these tunneling protocols has become apparent. mZeal Communications was awarded an Air Force SBIR project to research and address this very issue. The objective of the Expert Validation of IPv4-6 Security in Transitional Areas (EVISTA) project was to create an intelligent software solution designed to aid users and administrators in addressing their security concerns during the IPv4 to IPv6 transition phase. The initial priorities of the project were to identify some key use cases for the system and to determine where in the network topology EVISTA would reside. The two primary use cases for EVISTA are i) to assess end host vulnerabilities in a transitional network by evaluating open ports on the end host and ii) to detect and prevent active attacks by authorizing IPv6 tunnel use and IPv6 service access. The EVISTA architecture was built with the following core framework technologies: an intrusion detection system (IDS), a port scanning mechanism, and a decision engine. The IDS is used to monitor the network and detect tunnel use for authorization purposes; the port scanning mechanism allows EVISTA to assess the IPv6 firewall configuration of end hosts; and the decision engine helps EVISTA to make decisions on actions to perform based on the network in which it resides. 
For reporting, a web-based administrative subsystem was developed to provide administrators with visibility into IPv6 tunneling use within the network. In general, the architecture was developed with extensibility and scalability as key design objectives. From a security perspective, it includes mechanisms to ensure the system itself is secure against attacks, specifically its communications between remote components. EVISTA has reached a TRL 5 and can be customized for deployment in a short period of time. There are many enhancements in the pipeline for the EVISTA system, including further network sensing capabilities, threat mitigation techniques, and authorization and authentication approaches. We welcome any discussion on how EVISTA might be able to address this security vulnerability in existing networks. kbartlett@mzeal.com

Mu Dynamics, Inc., the leader in testing next-generation network services, and the University of New Hampshire InterOperability Lab (UNH-IOL), today announced the availability of pre-packaged IPv6 test content for use by network equipment manufacturers, Tier-1 global service providers and government agencies. This test content is sorely needed by the industry as many organizations are struggling to define and implement a testing strategy for the transition to IPv6. With IPv4 addresses expected to reach exhaustion by early 2011, organizations need to take action now. By leveraging these test assets, organizations can immediately start their IPv6 testing initiatives and benefit from industry best practices. Equipment manufacturers can also perform the tests required for the USGv6 Test Program before utilizing the testing services delivered by UNH-IOL to ensure first-time success. UNH-IOL is an independent provider of broad-based testing and standards conformance services for the networking industry, and is one of only two accredited labs to offer USGv6 testing and certification services. Using the Mu Test Suite, UNH-IOL developed this test content for the Network Protection Device (NPD) testing service of the USGv6 test program. The test content encompasses 27 categories of tests for firewalls, application firewalls, IDSs and IPSs. "The University of New Hampshire InterOperability Lab is pleased to make available the IPv6 test content to help organizations kick-start their IPv6 testing and certification initiatives for network protection devices," said Erica Johnson, director of the UNH InterOperability Lab. "By using the same tests we use for the USGv6 Test Program, organizations can have confidence that they are leveraging industry best practice tests to mitigate the risk associated with the IPv6 transition."
The test content contains tens of thousands of automated test cases including:
  • Functional verification tests that ensure that IPv6 implementations are compliant with the IETF specifications and best practices. For example, ensuring that the NPD blocks packets with a range of illegal addresses and routing headers, properly handles IPsec extension headers, and recognizes a variety of tunneling methods such as 6rd, 6to4, ISATAP, Teredo and others.
  • Security tests that deliver a wide range of known exploits and vulnerabilities to validate that the NPD can detect malicious content, port scans and known attacks even when delivered over tunnels.
  • Interoperability tests that ensure the NPD can filter traffic based on standard IPv6 extension headers, TCP/UDP headers over IPv6, and all possible ICMPv6 Types and Codes.
"Almost every network equipment manufacturer, Tier-1 global service provider and government agency is struggling to deal with the challenges of the IPv6 transition to support a dual-stack environment," said Simon Berman, vice president of products, Mu Dynamics. "With this new test content, customers can now jump-start their IPv6 testing, benefit from industry best practices and know that they are leveraging the expertise of UNH-IOL."
